[pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq

pgjdbc/pgjdbc GitHub issues and pull requests (mirror)  
help / color / mirror / Atom feed

From: harinath001 (@harinath001) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: [pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq
Date: Wed, 04 Mar 2026 20:35:22 +0000
Message-ID: <[email protected]> (raw)

### Context

pgjdbc currently refuses to connect if a private key file has any group or other permissions —
it strictly requires `0600`. That's a safe default, but it's stricter than what libpq (the
reference PostgreSQL C client) actually enforces.

libpq makes a practical distinction: if the key file is owned by root, it allows group-read
(`0640`). This matters in real deployments where a system administrator owns the certificates
and grants read access to a service account via group membership. With pgjdbc's current behavior,
those setups break — even though `psql` and every other libpq-based client works just fine with
them.

For non-root-owned files, libpq is strict: no group or other access. pgjdbc agrees on that part.
The gap is only for root-owned files, and that's what this PR closes.

The relevant check in libpq's `fe-secure-openssl.c` is:
```c
if (buf.st_uid == 0 ?
    buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) :
    buf.st_mode & (S_IRWXG | S_IRWXO))
```

### Changes to Existing Features:

- The only behavioral change is that root-owned key files with `GROUP_READ` (`0640`) are now
  accepted instead of rejected, matching libpq. All other permission checks remain unchanged.

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing](https://github.com/pgjdbc/pgjdbc/blob/master/CONTRIBUTING.md) document?
* [x] Have you checked to ensure there aren't other open [Pull Requests](../../pulls) for the same update/change?

### New Feature Submissions:

1. [x] Does your submission pass tests?
2. [x] Does `./gradlew styleCheck` pass ?
3. [x] Have you added your new test classes to an existing test suite in alphabetical order?

view thread (4+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: github://pgjdbc/pgjdbc
  Cc: [email protected], [email protected]
  Subject: Re: [pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq
  In-Reply-To: <<[email protected]>>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox